remcos | 0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

General

Target

wininit.exe
Size

1.3MB
MD5

ddee86f4db0d3b8010110445b0545526
SHA1

b41380b50d17dd679f85a224771398b81966bb9e
SHA256

0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5
SHA512

4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710
SSDEEP

24576:UAHnh+eWsN3skA4RV1Hom2KXMmHa8eaRqz66t/uRLiLjsyVvoCFKyO5:jh+ZkldoPK8Ya8twLjsya

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Drops startup file 1 IoCs

Processes:

word.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.vbs word.exe
Executes dropped EXE 1 IoCs

Processes:

word.exe

pid process

3316 word.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.vbs	word.exe

pid	process
3316	word.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\word.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

word.exe

description pid process target process

PID 3316 set thread context of 3388 3316 word.exe svchost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

3388 svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

word.exe

pid process

3316 word.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

wininit.exeword.exe

pid process

4808 wininit.exe
4808 wininit.exe
3316 word.exe
3316 word.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

wininit.exeword.exe

pid process

4808 wininit.exe
4808 wininit.exe
3316 word.exe
3316 word.exe

description	pid	process	target process
PID 3316 set thread context of 3388	3316	word.exe	svchost.exe

pid	process
3388	svchost.exe

pid	process
3316	word.exe

pid	process
4808	wininit.exe
4808	wininit.exe
3316	word.exe
3316	word.exe

pid	process
4808	wininit.exe
4808	wininit.exe
3316	word.exe
3316	word.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wininit.exeword.exe

description	pid	process	target process
PID 4808 wrote to memory of 3316	4808	wininit.exe	word.exe
PID 4808 wrote to memory of 3316	4808	wininit.exe	word.exe
PID 4808 wrote to memory of 3316	4808	wininit.exe	word.exe
PID 3316 wrote to memory of 3388	3316	word.exe	svchost.exe
PID 3316 wrote to memory of 3388	3316	word.exe	svchost.exe
PID 3316 wrote to memory of 3388	3316	word.exe	svchost.exe
PID 3316 wrote to memory of 3388	3316	word.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\directory\word.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:2856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Maianthemum
Filesize
29KB

MD5
1680954b249062aa27483ac80d9d2016

SHA1
acb196e38638fa7332a450b8ed9c127f1d56acff

SHA256
3614592179f15f4bc0cba05bac8e9dd7e545e6f623bd71b841aaa665f82b16cb

SHA512
9c94ec10f0577953a6bbc994b1339d9e414622efd07e4a61f31c5213f588d7327bd772c225a7a127736b721ec026ff836cf4167f9467dbf6df819bdec6e2ed93

Download Submit
C:\Users\Admin\AppData\Local\Temp\croc
Filesize
483KB

MD5
ceea497fc0601e397a9b0dba479b6ad3

SHA1
b791fd1115d9517d7e9cb9a987db2307aa900f67

SHA256
a17f87f849572c5977fa38198d6697a248424f2559aed98136834e188ac2d3f2

SHA512
702cff5d69b609e25d75545f58352aecf7ed28730c012f3a4ce6113842ebcda3308bc05e7658c27a260dec0bebaf25cad2bda1bff476aa79b2bb0ed4ad561858

Download Submit
C:\Users\Admin\AppData\Local\directory\word.exe
Filesize
108.3MB

MD5
febfee4d1d6e1e9b755525d605f91598

SHA1
61dafd5a13cd5742b5ed3727f70a1a3b566a7fe0

SHA256
d14cb6f009e28fea983cd5af5c28869cee01762d60e6716004b7abcefdda8a21

SHA512
4a3f01346bd1ab0c2c8cd4c96e25ee7af424b3c0895ae5a99d6a2b94013c6cacc671736b413c621d1902dd307a9fe5198f501f07e71c373376a638d0c8d1a398

Download Submit
memory/3388-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-51-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3388-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4808-10-0x0000000000BF0000-0x0000000000BF4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing